The Secure Exchange of Protected Health Information

To demonstrate meaningful use of electronic health records (EHR), as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, hospitals must fulfill the seemingly contradictory mandates to increase the sharing of patients’ protected health information (PHI) while also keeping it secure.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in May 2014 reached a record-setting $4.8 million settlement with New York Presbyterian Hospital and Columbia University in a case in which electronic PHI of 6,800 individuals, including patient status, vital signs, medications and laboratory results, was exposed on the Internet.

A year earlier, OCR reached a $1.2 million settlement with Affinity Health Plan over that company’s failures to remove the PHI of nearly 345,000 individuals from the hard drives inside photocopiers it returned to a leasing agent, to include the devices in its analysis of risks and vulnerabilities and to implement policies and procedures for the devices’ return.

These settlements came in the wake of the Final HIPAA Omnibus Rule of 2013, in which OCR had increased the penalties for HIPAA privacy and security rule violations from $25,000 to a maximum of $1.5 million per violation.

The High Cost of Protected Health Information Being at Risk

From the start of the federal reporting requirement in September 2009 into early June 2014, the number of people with medical records exposed in a reportable data breach had reached nearly 31.7 million — equal to 10% of the U.S. population. The cumulative number of breaches involving more than 500 patients passed 1,000. The number of breaches involving fewer than 500 had passed 116,000 a year earlier.

In its Fourth Annual Benchmark Study on Patient Privacy & Data Security, published in March 2014, the data security and privacy research organization the Ponemon Institute reported that 90% of healthcare organizations in its survey experienced at least one data breach within two years; 38% said they had more than five incidents. Even if these breaches didn’t result in federal fines or multi-million dollar settlements, they still took a toll. Ponemon calculates that, on average, breaches cost the surveyed organizations $2 million over two years. Projecting those figures industry-wide, Ponemon estimates data breaches cost the healthcare industry up to $5.6 billion annually.

The Compliance Officer’s Dilemma: Keeping PHI Secure While Making it Accessible

Theft or loss of mobile devices, laptops and portable media containing unencrypted PHI continues to be the leading source of reported HIPAA data breaches, accounting for 45% of incidents and 83% of affected records in 2013. Over 20% of incidents involved unauthorized access, separate from hacking, often by employees or other insiders.

In line with the reported incidence of theft, loss and unauthorized access, 83% of hospital respondents in the Healthcare Information and Management Systems Society’s 6th Annual Security Survey (published in February 2014) said the risks that concerned them most were human-related factors such as employees losing devices, unintentionally disclosing information or actively interfering with security access controls. In the Ponemon study, 47% of respondents had little to no confidence they could detect all loss or theft of patient data.

The many touchpoints in the creation, use and sharing of PHI invite the risk of human error or bad intent. Security is not the priority of employees who handle PHI. Hospital staff will often do what they think it takes to get their jobs done, such as sending documents or pictures to themselves from their cell phones, even if not compliant.

PHI is put at risk by such activities as admission orders, discharge instructions, prescriptions, clinical summaries and other PHI-containing documents printed to shared multifunction devices (MFDs) could expose patient information if left sitting in the output tray or picked up by the wrong person. Documents stored in the MFD’s hard drive could be improperly printed out or copied onto a USB stick.

Without encryption, user authentication, audit trails or other security controls, each document and action presents a risk of exposure and a point of vulnerability where PHI can be accidentally misdirected or intentionally compromised. That’s why a new risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations on which PHI must be protected with administrative, physical and technical safeguards that:

These requirements are found throughout sections 164.306 (general), 164.308 (administrative safeguards), 164.310 (physical safeguards) and 164.312 (technical safeguards) of the HIPAA Security Rule.

Simple, Secure and Compliant Exchange of Patient Information

Adding a layer of automated security and control to both electronic and paper-based processes, a capture and output platform can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.

Look for a software solution that combines multiple security best practices into a complete process for reducing vulnerabilities in capturing and sharing PHI:

• Authorization – Only authorized staff can access specific devices, network applications and resources. This is secured through password- or smart card-based authentication. Network authentication is seamlessly integrated with the document workflow and to ensure optimal auditing and security, documents containing PHI are captured and routed to various destinations such as email, folders, fax, line of business applications and EHR systems.

• Authentication – User credentials must be verified at the device, by PIN/PIC code, proximity (ID) or by swiping a smart card to access documents containing PHI. Once users are authenticated, the solution also controls what they can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.

• Encryption – Communications between smart MFDs and mobile terminals, the server and destinations such as the EHR are encrypted to ensure documents are only visible to those users with proper authorization.

• File Destination Control – Simultaneous monitoring and auditing of patient information in documents ensures PHI is controlled before it ever gets to its intended destination.

By simplifying users’ workflows as it transparently adds security, an advanced capture and output platform can increase employee acceptance and reduces the need for them to find workarounds that bypass security measures.

Consider the scanning of a document and emailing it to oneself in order to work with it electronically. In a non-compliant workflow, a worker might authenticate at the MFD, select scan as a function and enter their own email address as the destination. Besides requiring upwards of 30 keystrokes, this process is not compliant if the document or sending device are identified by a generic descriptor — BrandNamePrinterScan001.pdf, for example — or the action is not captured in an audit log.

This activity can be facilitated easily. A user walks up to the device, signs in by tapping their proximity card against the reader and then chooses scan to my email from a list of pre-defined and pre-authorized workflows displayed on the MFD’s control panel. It’s a faster, simpler, error-free process and — with the activity audited as to user, device, action, email address, date and time and document metadata — fully HIPAA-compliant.

A Complete Audit Trail

Even before the ONC’s newest risk assessment tool extended HIPAA security requirement to copiers, HIPAA security standards had always required covered entities to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. By building an HL-7 based audit trail of all copy, print, scan, email and fax activity at every networked MFD, including paths to document images, using the right kind of advanced capture and output platform will bring use of these devices into HIPAA compliance.

Just as important, reviewing the audit log helps a hospital to identify a breach, take prompt corrective action, issue the necessary notifications and avoid the cost of fines. That’s because correcting a violation within 30 days of acquiring “actual or constructive” knowledge of it provides an “affirmative defense” and immunity against HIPAA’s civil monetary penalties.

The Looming Deadline

As a deadline approaches for hospitals to demonstrate meaningful use of electronic health records the monetary penalties for failing to secure patients’ protected health information increase. There are simply too many touchpoints that create risk in sharing PHI, most of these involving the technologies that hospitals are counting on to deliver the benefits of EHR — especially smart devices that copy, print, scan, fax and email.

The use of an advanced capture and output platform can enable HIPAA-compliant secure exchange of PHI by adding a layer of security and control to paper-based and electronic processes. Transparently applying automated security techniques that cannot be circumvented, this advanced capture and output platform authenticates users, controls the access to workflows, encrypts data and builds and maintains an audit trail of all user activity. Look to advanced capture and output platform to minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and avoid potential fines, reputation damage and other costs of HIPAA violations and privacy breaches.

Disclaimer: Blog contents express the viewpoints of their independent authors and
are not reviewed for correctness or accuracy by
Toolbox for IT. Any opinions, comments, solutions or other commentary
expressed by blog authors are not endorsed or recommended by
Toolbox for IT
or any vendor. If you feel a blog entry is inappropriate,
click here to notify
Toolbox for IT.